We Need to Take Privacy Harms More Seriously
People have been debating the merits and scale of privacy harms since the internet became integral to day-to-day life. But despite these ongoing discussions, there’s been a disconnect between tangible real-world events and the tone surrounding the conversation. Privacy harms are not abstract, a boogeyman made to scare people; they are tangible and becoming more dangerous as technology develops.
Yet both academia and the corporate space underplay the issue. Academic papers that have sought to study privacy harms typically feature rigid definitions of categories of privacy harms that fail to capture the real anxiety many feel over the issue, while corporate data privacy and governance initiatives are framed by regulatory compliance rather than explicitly and primarily minimizing harm to users.
The typical business approach is understandable, as it’s much easier to measure compliance than privacy harms, but that doesn’t mean the data privacy structures put in place cannot speak to the very real effect of harm.
The Growing Scale of Privacy Harms
Most enterprise companies are taking in megabytes of data every single second. That means personal data on hundreds of thousands if not millions of people, covering financial details, private lives, and in some instances, geolocation data.
And even if an organization has its data governance performing smoothly, the average corporate data stack has grown to feature over 700 data systems. That means higher demands than ever for third-party vendor risk assessment, as data breaches have become more and more common year over year.
This web of data breaches and cyberattacks means that when one company gets hit, the damage spreads through entire business networks, quickly accumulating to affect consumers.
What isn’t helping is companies sharing user data with third parties, whether intentionally or not (the latter pointing to another data security issue, such as data leakage via improperly set up SDKs or APIs). Amid the politically charged rhetoric around reproductive rights, we have a situation like Flo Health, a fertility tracker, sharing sensitive data with Big Tech.
Or worse, surveillance products like the Ring doorbell app having numerous third-party trackers in the system, the widespread overcollection of data that most cars operate on, or the calamitous 23andMe data breach putting customer DNA data onto the black market.
The scale of data flows and connections throughout organizations today poses innumerable touch points for bad actors or even mere mistakes to spiral into much larger privacy issues. From identity theft to discriminatory biases and the legitimate physical harms now in play thanks to more apps using geolocation data than ever, the threat of privacy harms is too great not to focus on when discussing privacy.
This trend isn’t changing soon either, as the FBI has warned that cybercriminals are increasingly adopting AI in scams.
How Companies Should Approach Privacy Harms
From a consumer perspective, the best defense against this is knowledge. Know (and exercise) your data rights, understand what it means when you give various permissions to different apps and try to understand the types of data you share with organizations.
But the majority of the solution rests on companies continuing to embrace data privacy as a proactive, rather than reactive, part of business. Some of that requires companies to take a forward-thinking stance on privacy and how they communicate that to customers.
Regulations often require privacy notices to list why the organization is collecting and processing data. Organizations that collect sensitive data should consider going beyond that and clearly explaining the risks and potential privacy harms of collecting that data.
As a starting point, if your organization has not conducted an audit yet this year, now is the time. That involves:
- Completing a comprehensive data map to see where data lives
- Deleting redundant customer information or risk-heavy data systems
- Ensuring end-to-end encryption or anonymization is in place and working properly
Those are the building blocks for a successful data privacy program, and to go further, organizations must champion privacy by design, automate data retention policies, follow data minimization protocols (especially with regulation such as Maryland’s Online Data Privacy Act mandating strict data minimization principles), and implement zero-trust architecture.
Once those technical aspects are in place, only then can a company transform its culture to universally prioritize and safeguard user privacy. Touting regulatory compliance is typically a floor, as privacy laws have historically been written not to set a high bar for privacy, but to discourage the worst offenses.
By gauging your privacy program on how it protects your consumers alongside how it measures up to regulatory requirements, you set the stage for more productive conversations around maintaining consumer privacy and eliminating risk and possible harms. That type of privacy-first culture, when combined with mechanisms for consumers to access and delete their own data, clear statements of how, why, and for how long you use customer data, and an easy way to maintain a dialogue with your company about privacy, will thrive in both brand and user happiness.
Privacy Tools You Need to Thrive
If you're not fully invested in your privacy program, there is little way to minimize the harms that could affect your customers, and ultimately, your business. Data breaches and cyberattacks have become a question of not if they affect an organization, but when and how seriously they do.
That reality and the powder keg of sensitive data most organizations are sitting on pose an existential threat to security online, which is precisely why companies need a privacy-first approach in today’s world.
Several years ago, that might have sounded fantastic but impractical given the limitations of data mapping and risk assessment, but that is no longer the case.
MineOS’ data mapping detects over 95% of an organization’s data systems, with AI asset detection and machine learning-powered suggestions built into the system to create a fully formed foundation for any organization’s privacy program. With no-code automation to manage day-to-day tasks like DSR management, data classification, and assessment building, privacy professionals are freed up to focus on the strategy and messaging needed to truly minimize privacy harms.